RDP Hacks: Thwarting the Bad-Guy Network

Jason Fredrickson

Brian Krebs of Krebs on Security just posted an article on RDP hacks that exploit weak or default login credentials, and goes on to describe how that access becomes the basis for a cybercrime business. His article explains that Makost[dot]net rents access to more than 6000 poorly configured and, therefore, compromised Remote Desktop Protocol (RDP)-enabled servers around the globe. As Krebs says, “…the attackers simply needed to scan the Internet for hosts listening on port 3389 (Microsoft RDP), identify valid usernames, and then try the same username as the password.” It’s a classic brute-force attack in its crudest form, a single guess per account, and it’s aimed directly at an extremely weak target.

Many people on first reading this would consider this capability a “vulnerability” of Windows, but that’s like saying that an automated teller machine (ATM) has a “vulnerability” that allows you to get cash from your bank account. Remote desktop access is a feature of the operating system, Windows is not alone in exposing functionality like it, and the weakness here lies in the credentials guarding the feature, not in the protocol.

A malware- and exploit-free threat
The interesting aspect of this RDP hack phenomenon is that it’s a purely access-based threat: no malware, no exploit involved. At its heart, this cyber-criminal operation is based on a list of working credentials for specific machines on specific networks. No malware detection system could identify these intrusions, because every logon uses valid credentials and looks, to the operating system, like any other remote administrator session.

This is the perfect example of what I mean when I say that the bad guys are working together productively and the good guys aren’t yet. Makost[dot]net is just one of many black-market information brokerages selling access to these compromised systems to anyone with the cash. Any attacker can start from zero, swipe a credit card, and immediately punch a hole right through your perimeter.

As an aside, one place for the good guys to start working together would be to create a system to notify the owners of these systems that they’ve been compromised, because as long as they remain unaware, the attackers still have an open door into their networks, and those machines can then serve as springboards for attacks on other organizations.

What signature-based alerting can never identify, anomaly-based approaches can

If your organization regularly uses RDP for any legitimate purpose, it’s going to be nearly impossible to tell valid sessions from attacks by inspecting individual events, because both use the same valid credentials and produce the same successful-logon records, unless you regularly create and update baselines of normal behavior for those RDP-enabled endpoints: which accounts log on over RDP, from which source addresses, and at what times. There is nothing for any security tool to detect in this scenario except deviations from those baselines.

This threat is particularly dangerous in a world where virtual machines (VMs) are increasingly common and often cloned from each other en masse, so that a single weak local account is duplicated into every clone. VM templates routinely have remote desktop access enabled for administration, and the people creating them often assume, incorrectly, that the clones will only ever run in “secure” environments.

Krebs suggests running a quick external port scan of your organization’s Internet address ranges to find out which systems are answering on the RDP port, then points to a University of California at Berkeley document for additional tips on locking down RDP installations. This is a good start, but I would add that you need the ability right now, today, to do these three things:

#1 - Establish visibility into your endpoints.
#2 - Start running baselines of normal behavior on and between those endpoints.
#3 - Set up a way to begin receiving regular alerts on anomalous behavior relative to those baselines.
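As an added illustration of steps 2 and 3 (example code written for this discussion, not part of the original post and not EnCase Analytics), the script below builds a baseline of which accounts normally log on over RDP, from where and at what hours, then runs a later batch of events against it. The log lines are constructed and use a simplified rendering of the Windows Security fields that matter here: event 4624 for a successful logon, 4625 for a failure, and Logon Type 10 for RemoteInteractive, which is RDP. The delimiter, field order, threshold and function names are my assumptions. The detector flags an RDP success from an account/source pair or hour never seen in the baseline, and a success preceded by a run of failures from the same source, which is what the username-as-password guessing Krebs describes looks like from the target’s side.

```python
"""Baseline-and-deviation detection for RDP logons (Windows Logon Type 10).

Added example; not code from the original post or from EnCase. Log lines are a
constructed, simplified rendering of Security-log fields (4624 = success,
4625 = failure, LogonType 10 = RemoteInteractive/RDP). A real deployment needs
a parser for its own export format (EVTX, XML, SIEM CSV).
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample, one week of normal use: "timestamp|event_id|account|logon_type|source_ip"
BASELINE_LOG = """\
2013-10-01T09:02:11|4624|jsmith|10|10.1.5.23
2013-10-01T09:15:40|4624|rjones|10|10.1.5.31
2013-10-02T08:58:02|4624|jsmith|10|10.1.5.23
2013-10-02T10:20:17|4624|rjones|10|10.1.5.31
2013-10-03T09:05:55|4624|jsmith|10|10.1.5.23
2013-10-03T13:41:09|4624|svc_backup|3|10.1.9.10
"""

# Constructed sample for the detection window: a username-as-password guessing
# run from an external address that eventually succeeds as "rjones", followed
# by one ordinary logon that should not alert.
NEW_LOG = """\
2013-10-08T03:12:01|4625|administrator|10|198.51.100.77
2013-10-08T03:12:02|4625|jsmith|10|198.51.100.77
2013-10-08T03:12:03|4625|svc_backup|10|198.51.100.77
2013-10-08T03:12:04|4625|rjones|10|198.51.100.77
2013-10-08T03:12:05|4625|guest|10|198.51.100.77
2013-10-08T03:12:06|4624|rjones|10|198.51.100.77
2013-10-08T09:01:30|4624|jsmith|10|10.1.5.23
"""

RDP_LOGON_TYPE = "10"


def parse_events(text):
    """Turn the constructed pipe-delimited lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, logon_type, src = line.split("|")
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": event_id,
            "account": account.lower(),
            "logon_type": logon_type,
            "src": src,
        })
    return events


def build_baseline(events):
    """Record the (account, source) pairs and hours of successful RDP logons."""
    pairs, hours = set(), set()
    for e in events:
        if e["event_id"] == "4624" and e["logon_type"] == RDP_LOGON_TYPE:
            pairs.add((e["account"], e["src"]))
            hours.add(e["time"].hour)
    return {"pairs": pairs, "hours": hours}


def detect_anomalies(events, baseline, fail_threshold=3):
    """Return one alert per RDP success that deviates from the baseline.

    Signals: (1) an (account, source) pair or hour not in the baseline;
    (2) at least fail_threshold failed RDP logons from the same source before
    the success. The failure count here is cumulative over the batch; a real
    detector would use a sliding time window (assumption: minutes, not days).
    """
    alerts = []
    failures_by_src = defaultdict(list)  # source -> accounts that failed
    for e in sorted(events, key=lambda x: x["time"]):
        if e["logon_type"] != RDP_LOGON_TYPE:
            continue
        if e["event_id"] == "4625":
            failures_by_src[e["src"]].append(e["account"])
            continue
        if e["event_id"] != "4624":
            continue
        reasons = []
        if (e["account"], e["src"]) not in baseline["pairs"]:
            reasons.append("new account/source pair")
        if e["time"].hour not in baseline["hours"]:
            reasons.append("outside baseline hours")
        tried = failures_by_src.get(e["src"], [])
        if len(tried) >= fail_threshold:
            reasons.append(f"{len(tried)} failed logons from same source first")
        if reasons:
            alerts.append({"time": e["time"].isoformat(), "account": e["account"],
                           "src": e["src"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    baseline = build_baseline(parse_events(BASELINE_LOG))
    for alert in detect_anomalies(parse_events(NEW_LOG), baseline):
        print(alert)
```

Run as-is, the script raises a single alert, for the 03:12 logon as rjones from 198.51.100.77, carrying all three reasons; the 09:01 logon by jsmith from his usual workstation matches the baseline and stays quiet. Note that the successful event alone is indistinguishable from a legitimate one: every reason on the alert comes from comparing it to history, which is the whole point of step 2. In production the baseline should be rebuilt on a schedule so that a genuinely new administrator does not alert forever, and the failure counter should be bounded by time rather than by batch.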

EnCase® Analytics can help with all three. In the meantime, sites like Makost just illustrate how important it is for the good guys to start working together as productively as the bad guys have been.

Have suggestions? War stories? I welcome discussion in the comments section below.
